nearing the final version!
== Delete unnecessary stuff ==
Many packages are not relevant in a VPS setting — floppy disk utilities and kernel modules, for example — and neither is a getty listening on the console.
<code>
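  # Strip hardware-, boot- and console-related pieces that a VPS guest never uses.
  # Every step is destructive and is meant to run as root on the template image.
  rm -rf -- /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
  # packages not applicable to a VPS setting, or which we don't use at HostGIS
  # e.g. phpMyAdmin and phpPgAdmin are security holes
  # The patterns below are globs over the installed-package database, so the
  # cd must succeed; otherwise they stay literal and removepkg gets nonsense.
  cd /var/log/packages || exit 1
  # NOTE(review): 'wireless_tools.*' uses '.' where every other pattern uses
  # '-'; it looks like a typo for wireless_tools-* — confirm against the
  # package name before relying on it.
  for pkg in \
     hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
     mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
     smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
  do
    # an unmatched glob stays literal; skip it instead of handing it to removepkg
    [ -e "$pkg" ] || continue
    removepkg "$pkg"
  done
  # prune init's getty
  # NOTE(review): the comment talks about getty but the only command here adds
  # the devpts mount to fstab; the inittab edit that actually removes the getty
  # entries seems to be missing from this listing — confirm.
  printf '%s\n' 'devpts   /dev/pts   devpts   mode=0620   0  0' >> /etc/fstab
  # the startup sequence and services, even the firewall
  cd /etc/rc.d || exit 1
  # NOTE(review): dropping rc.firewall (and iptables-* above) leaves the guest
  # with no host-level packet filtering at all; the image then depends entirely
  # on filtering done outside the guest — confirm that is the intended model.
  rm -f -- rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
        rc.scanluns  rc.serial rc.udev rc.sysvinit   rc.firewall
  vi rc.syslog    # delete all mentions of klogd
  vi rc.M         # delete the setterm entry
  vi rc.S         # delete the MOTD clobbering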
</code>
<code>
  # clear out old/dummy SSL certificates  mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl # fix file permissionsfind / -mount -nouser -exec chown root {} \; &find / -mount -nogroup -exec chgrp root {} \; &for i in \   /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \   /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \   /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \   /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write   do chmod u-s $i ; done # fix Apache's configuration:# add ServerTokens prod# go to the htdocs Directory definition and change Indexes to -Indexes# delete the entries for phpmyadmin and phppgadminvi /etc/apache/httpd.conf # keep FTP users chrooted:echo "" >> /etc/proftpd.confecho "# keep all users chrooted to their homedir" >> /etc/proftpd.confecho "DefaultRoot ~" >> /etc/proftpd.conf
  # allow the mailq to be checked by anybody:fix file permissions  find / -mount -nouser -exec chown root {} \; &  find / -mount -nogroup -exec chgrp smmsp root {} \; &  for i in \    /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \     /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /varusr/spoolbin/mqueuetraceroute \chmod g+rx      /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \     /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /varusr/spoolbin/mqueuewrite     do chmod u-s $i ; done
== Changes to rc scripts ==
<code>
# Two manual edits to the Slackware rc scripts (hand-edit in vi; nothing here
# is automated).
#
# rc.6 (the shutdown/reboot script): add the command  touch /reboot
# somewhere in it — its purpose is not stated on this page.
vi /etc/rc.d/rc.6
# rc.M: add the command  rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
# so /etc/mtab always mirrors the kernel's mount table instead of a stale file.
vi /etc/rc.d/rc.M
</code>
<code>
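  # Final pass before the image is snapshotted: stop every service, then scrub
  # per-instance state (network config, passwords, logs, SSH host keys, shell
  # and application histories) so clones do not share identity or secrets.

  # stop all services
  apachectl stop
  killall syslogd klogd udevd crond
  /etc/rc.d/rc.sendmail stop
  /etc/rc.d/rc.inetd stop
  /etc/webmin/stop
  /etc/rc.d/rc.pgsql stop
  /etc/rc.d/rc.mysqld stop
  killall named proftpd
  killall xinetd

  # blow away the network configuration with dummy strings for later replacement
  #    replace the IP address with __IPADDRESS_
  #    replace the netmask with __NETMASK__
  #    replace the GATEWAY with __GATEWAY__
  # NOTE(review): the IP placeholder is written with one trailing underscore
  # while the others have two; confirm which spelling the provisioning side
  # substitutes, or the template may ship with the old address in place.
  vi /etc/rc.d/rc.inet1.conf

  # disable the root and user accounts
  # by changing the password for root and user to a ! character.
  # (Replacing the hash outright, rather than prefixing it, means the template
  # password cannot be recovered from the image.)
  vi /etc/shadow

  # refresh the 'locate' cache
  /etc/cron.daily/slocate

  # blank out the system logfiles (truncate in place; mode and owner are kept)
  for logfile in \
         /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
         /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
         /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
         /var/log/apache/access_log /var/log/apache/error_log \
         /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
  do
    : > "$logfile"
  done
  rmdir /var/log/sa

  # clear the SSH host key so no two clones share one.
  # NOTE(review): this relies on sshd's start script regenerating missing keys
  # on first boot — confirm, otherwise sshd will not come up on the clones.
  rm -f /etc/ssh/ssh_host_*

  # database server logfiles
  rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile

  # delete vi backup files, bash_history files, and other small application crud
  unset HISTFILE   # this shell then writes no .bash_history of its own on exit
  # .gnupg is a directory; 'find -delete' cannot remove a non-empty one, so
  # handle it separately and prune so find does not descend into it.
  find / -type d -name .gnupg -prune -exec rm -rf -- {} +
  # The name tests must be grouped: without the parentheses -delete bound only
  # to '-name .rnd' and the other patterns were matched but never removed.
  find / \( -name '*~' \
         -o -name .bash_history \
         -o -name .lesshst \
         -o -name .viminfo \
         -o -name .rnd \) \
         -delete

  # the junk anything under /tmp
  rm -rf /tmp/*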
</code>